Description
DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. An attacker could leverage this vulnerability to corrupt memory, causing the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application denial of service
Action: Apply Patch
AI Analysis

Impact

An out‑of‑bounds write in Adobe’s DNG SDK allows a malicious file to corrupt memory when it is opened. The corruption can cause the application to crash or become unresponsive, resulting in a denial‑of‑service condition for that process and possibly the entire system. The weakness is a classic buffer overrun, classified as CWE‑787.

Affected Systems

Adobe DNG SDK versions 1.7.1 2502 and earlier are affected. Any installation that includes these builds and processes DNG files is subject to potential exploitation.

Risk and Exploitability

The CVSS severity rating of 5.5 indicates a medium level of risk, but the lack of a publicly available EPSS score makes it unclear how often this flaw is actively targeted. The flaw is not listed in CISA’s KEV catalog, suggesting no widespread active exploitation. Because a victim must open a malicious file, the attack vector is local or requires user interaction, which limits the scope but still represents a real threat to users who accept unknown media.

Generated by OpenCVE AI on April 14, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe DNG SDK to version 1.7.1 2503 or later.
  • Test the upgraded SDK in a controlled environment before deployment.
  • Verify that applications using the SDK no longer process the same vulnerability, and monitor logs for unexpected crashes.

Generated by OpenCVE AI on April 14, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe dng Software Development Kit
CPEs cpe:2.3:a:adobe:dng_software_development_kit:*:*:*:*:*:*:*:*
Vendors & Products Adobe dng Software Development Kit

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe dng Sdk
Vendors & Products Adobe
Adobe dng Sdk

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. An attacker could leverage this vulnerability to corrupt memory, causing the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title DNG SDK | Out-of-bounds Write (CWE-787)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe Dng Sdk Dng Software Development Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T19:27:37.471Z

Reserved: 2026-02-18T22:02:41.386Z

Link: CVE-2026-27258

cve-icon Vulnrichment

Updated: 2026-04-14T19:23:03.895Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T18:16:56.247

Modified: 2026-04-15T19:46:39.793

Link: CVE-2026-27258

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses